DHCS INFORMATION PRIVACY & SECURITY TRAINING

Upload: jazlyn-toops

Post on 30-Mar-2015


TRANSCRIPT

Page 1:

DHCS INFORMATION PRIVACY & SECURITY TRAINING

Page 2:

CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES

Page 3:

PRIVACY OFFICER, Office of Legal Services (OLS)

INFORMATION SECURITY OFFICER, Information Security Office (ISO)

PRIVACY OFFICE, Office of HIPAA Compliance (OHC)

Page 4:

INTRODUCTION

Welcome to the DHCS Information Privacy & Security Training. This training is an annual requirement for all DHCS staff, as mandated by state and federal laws.

Page 5:

INTRODUCTION

As one of the largest health plans in the country, Medi-Cal is responsible for the health records of over 7 million beneficiaries. This training discusses state and federal laws that regulate the privacy and protection of information, as necessary to carry out the Department’s workforce functions.

Page 6:

TRAINING OUTLINE

TRAINING MODULES – There are 15 training modules. You must complete all of the modules before you log off, or you will have to restart the training from the beginning.

QUIZZES – After each of the training modules, you will be asked to complete quiz questions. You must answer each question correctly before receiving your Training Certificate and Acknowledgement Form.

RESOURCES AND WEBSITE LINKS - There is a resource list provided at the end of the training with all the links and other resources used in this training.

CERTIFICATE AND ACKNOWLEDGEMENT FORM – Before logging out of the training, print the Training Certificate and the Security and Confidentiality Acknowledgement form. Then sign the acknowledgment form. The originals go to your Manager/Supervisor. Please keep a copy of each for your records.

Page 7:

TRAINING MODULES

1. INTRODUCTION

2. HIPAA OVERVIEW

3. STATE LAW

4. ADMINISTRATIVE SAFEGUARDS

5. PHYSICAL SAFEGUARDS

6. TECHNICAL SAFEGUARDS

7. REMOTE ACCESS

8. MINIMUM NECESSARY

Page 8:

TRAINING MODULES (CONTINUED)

9. USE AND DISCLOSURE

10. ACCESS TO PATIENT RECORDS

11. BREACHES OF CONFIDENTIAL INFORMATION

12. SANCTIONS

13. ROLES AND RESPONSIBILITIES

14. SECURITY INCIDENT MANAGEMENT AND DISASTER RECOVERY

15. CLOSE

Page 9:

HIPAA OVERVIEW

Page 10:

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to improve the efficiency and effectiveness of our health care system by standardizing the electronic exchange and protection of administrative, financial, and health data.

Page 11:

WHY HIPAA?

An Atlanta truck driver lost his job in early 1998 after his employer learned from his insurance company that he had sought treatment for a drinking problem.

The late tennis star Arthur Ashe’s positive HIV status was disclosed by a healthcare worker and published by a newspaper without his permission.

Musician Tammy Wynette’s medical records were sold to National Enquirer by a hospital employee for $2,610.

Page 12:

WHY HIPAA?

Medical Identity Theft is a crime in which the thief uses someone’s identity to get access to medical services or goods. This may include using a name along with other information to get treatment and equipment.

In 2010, it was reported that 5.8% of Americans were victims of Medical Identity Theft. Medical Identity Theft has a significantly higher average cost per victim than other types of identity theft. The average victim deals with more than $20,000 in costs associated with the crime and may have to pay out-of-pocket costs to have their health insurance restored.

Page 13:

PRIVACY & SECURITY

The HIPAA PRIVACY RULE provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, it permits the disclosure of personal health information needed for patient care and other important purposes. 

The HIPAA SECURITY RULE specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. 

Page 14:

COVERED ENTITIES

HIPAA applies to covered entities which include:

HEALTH PLANS

HEALTH CARE PROVIDERS

HEALTH CARE CLEARINGHOUSES

BUSINESS ASSOCIATES (BAs) - any entity that handles protected health information during the normal course of doing business for a covered entity. (DHCS BAs include Kaiser, Anthem Blue Cross, LA Care, etc.)

Page 15:

BUSINESS ASSOCIATES

Business Associates are persons or organizations that, on behalf of a covered entity, health plan or provider:

Perform any function or activity covered by HIPAA

Provide a service on behalf of a covered entity involving the transfer of PHI

Page 16:

PROTECTED HEALTH INFORMATION

Information protected under HIPAA is called PHI, or Protected Health Information.

Protected Health Information is defined as any information, in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that can be used to identify an individual.

Page 17:

DIRECT IDENTIFIERS

HIPAA lists 18 direct identifiers, name among them, that make health information individually identifiable. If a record in your health information dataset carries a name or any other identifier from the list, you have PHI and it must be safeguarded appropriately.

For example: A name plus information that the person is on Medi-Cal would constitute PHI.

Page 18:

DIRECT IDENTIFIERS (Continued)

• Name
• Address – street address, city, county, zip code, or other geographic codes
• Dates directly related to the patient (except year), including date of birth and admission or discharge dates
• Telephone and/or fax numbers
• Driver’s license number
• Email addresses
• Social Security number
• Medical ID number / CIN
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or device serial number, including license plates
• Web addresses (URLs)
• Internet Protocol (IP) address
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, or code
• Age greater than 89
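As an added example, not part of the training and not DHCS code, the Go program below applies the rule on this slide to a small constructed health dataset. Each row has a name field and free-text notes; a handful of regular expressions detect the listed identifiers that have a recognisable shape in text (SSN, phone or fax number, email address, IPv4 address, URL, full date) plus a stated age over 89, and a row counts as PHI when any listed identifier is present. The patterns, the field names and the sample rows are assumptions made for this example; identifiers with no reliable textual shape (zip codes, account and serial numbers) are left out, and a bare year is deliberately not matched because the slide excludes it.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Record is one row of a constructed health dataset: a structured name field
// plus free-text notes that may carry other identifiers. Assumed layout.
type Record struct {
	Name  string
	Notes string
}

// detector pairs an identifier type from the list above with a pattern that
// recognises it in free text. The patterns are assumptions for this example
// (US formats only); a production DLP engine would use validated detectors
// with context checks to keep false positives down.
type detector struct {
	kind string
	re   *regexp.Regexp
}

var detectors = []detector{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"phone", regexp.MustCompile(`\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b`)},
	{"email", regexp.MustCompile(`\b[\w.+-]+@[\w-]+\.[\w.-]+\b`)},
	{"ipv4", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"url", regexp.MustCompile(`\bhttps?://\S+`)},
	// Month and day present: a full date is an identifier, a bare year is not.
	{"date", regexp.MustCompile(`\b\d{1,2}/\d{1,2}/\d{4}\b`)},
}

// ageRe captures a stated age so that only ages over 89 count.
var ageRe = regexp.MustCompile(`(?i)\bage[d]?:?\s*(\d{1,3})\b`)

// ageOver89 reports whether the text states an age greater than 89.
func ageOver89(text string) bool {
	for _, m := range ageRe.FindAllStringSubmatch(text, -1) {
		if n, err := strconv.Atoi(m[1]); err == nil && n > 89 {
			return true
		}
	}
	return false
}

// Identifiers returns the identifier types found in the record, in a fixed order.
func Identifiers(r Record) []string {
	var found []string
	if strings.TrimSpace(r.Name) != "" {
		found = append(found, "name")
	}
	for _, d := range detectors {
		if d.re.MatchString(r.Notes) {
			found = append(found, d.kind)
		}
	}
	if ageOver89(r.Notes) {
		found = append(found, "age>89")
	}
	return found
}

// IsPHI applies the rule from the slide: health information that carries any
// listed identifier is PHI and must be safeguarded.
func IsPHI(r Record) bool { return len(Identifiers(r)) > 0 }

func main() {
	// Constructed sample rows; none describes a real person.
	rows := []Record{
		{"", "Treated for asthma in 2014, enrolled in Medi-Cal"}, // year only: not PHI
		{"J. Doe", "Enrolled in Medi-Cal"},                        // name + health info: PHI
		{"", "Admitted 03/14/2014, callback 916-555-0137"},      // date and phone: PHI
		{"", "Patient age 92, lives alone"},                       // age over 89: PHI
		{"", "Patient age 45, follow-up next year"},               // no identifier: not PHI
	}
	for _, r := range rows {
		fmt.Printf("PHI=%-5v identifiers=%v\n", IsPHI(r), Identifiers(r))
	}
}
```

The first and last rows show why the year-only and age-threshold rules matter: the same clinical fact is PHI or not depending solely on which identifying details travel with it, which is exactly the distinction a release check or a DLP rule has to make.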

Page 19:

NOTICE of PRIVACY PRACTICES

HIPAA requires that a covered entity provide a NOTICE of PRIVACY PRACTICES (NPP) to its members.

The NPP tells the members what rights they have under HIPAA, including the right to access their records, and how their information may be disclosed.

Page 20:

STATE LAW OVERVIEW

Page 21:

STATE LAW

State law (the Information Practices Act) differs from Federal Law (HIPAA) in that it is more expansive. It covers more than Protected Health Information (PHI) and includes all Personal Information (PI).

Page 22:

PERSONAL INFORMATION

State law establishes requirements for DHCS on the collection, maintenance, and dissemination of Personal Information. Personal Information (PI) means any non-public information maintained by an agency that identifies or describes an individual.

Page 23:

PERSONAL INFORMATION (continued)

Examples of Personal Information include:

Names

Social Security Number

Physical Description

Home Address

Home Telephone Number

Education

Financial Matters

Medical or Employment History

Statements made by or attributed to the Individual

Page 24:

CONFIDENTIAL INFORMATION

Information maintained by the Department that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws is considered Confidential Information.

All personal confidential information (PCI) is treated with the same privacy and protection as PHI / PII.

Under state and federal Medicaid law, information can only be disclosed for purposes directly related to the administration of the Medi-Cal Program.

Page 25:

SENSITIVE INFORMATION

Sensitive Information is information maintained by the department that requires an assurance of accuracy and completeness, as well as special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion.

Though this information may not be individually identifiable, it must still be protected.

Examples of sensitive information include: Department’s financial transactions, Budget Change Proposals, and regulatory actions.

Page 26:

OTHER STATE & FEDERAL LAWS

There are additional state and federal laws that protect certain categories of information, such as mental health information, HIV/AIDS status, and substance abuse (alcohol and drug) treatment.

Before releasing information that falls in these categories to an outside entity, check with the DHCS Privacy Officer to be sure the release is legally permitted.

Page 27:

SAFEGUARDS

Page 28:

SAFEGUARDS

Safeguards are used to protect PHI, PI, Confidential Information, and Sensitive Information.

There are three types of safeguards:

ADMINISTRATIVE

PHYSICAL

TECHNICAL

Page 29:

ADMINISTRATIVE SAFEGUARDS

Page 30:

ADMINISTRATIVE SAFEGUARDS

Administrative Safeguards are documented policies and procedures for day-to-day operations; managing the conduct of employees; accessing the state’s automated information systems and related devices; and managing the selection, development, and use of security controls.

Page 31:

ADMINISTRATIVE SAFEGUARDS

Some Administrative Safeguards include:

Data Policy

Information Privacy & Security Policies [e.g., SAM and HAM]

Guidelines for employees who access Internet and/or E-mail

Information Privacy & Security Awareness Training

Banners warning against unauthorized use of information

Page 32:

ADMINISTRATIVE SAFEGUARDS

HEALTH ADMINISTRATIVE MANUAL

Administrative Safeguards are identified in the Health Administrative Manual (HAM), which incorporates the Department’s information privacy and security policies and requirements of the State Administrative Manual (SAM). HAM Sections 6-1000 through 6-1080 cover Information Privacy and Security Policy.

Page 33:

ADMINISTRATIVE SAFEGUARDS

HEALTH ADMINISTRATIVE MANUAL

Policies found in the HAM include:

Data Classification

Employee Responsibilities

Incident Reporting and Notification

Internet/Electronic Mail Policy

LAN Administrators Responsibilities

Management Responsibilities

Mobile Computing & Removable Storage Devices

Passwords

Operational Recovery Planning

Risk Management

Safeguards and Destruction of PCI and Sensitive Information

Security & Confidentiality Acknowledgment

Training Requirements

And more. . .

Page 34:

ADMINISTRATIVE SAFEGUARDS

DATA POLICY

State and federal law, as well as Department policy, require that privacy and confidentiality of all personal, confidential and sensitive information, in whatever medium (oral, paper or electronic), be protected.

The Department considers all information about individuals private, unless such information is determined to be a public record. It is Department policy to protect privacy and prevent the loss of information through accident, misuse, sabotage, criminal activity, or natural disaster.

Page 35:

ADMINISTRATIVE SAFEGUARDS

DATA POLICY (continued)

The Department’s data release policy requires that a fully approved data release form be completed for all releases of confidential data to any entity outside DHCS. This applies to all documents in any media with PHI and PCI.

Every division has a Data Release Coordinator who is responsible for completing the forms and getting the signatures of the Division Chief, Privacy Officer, Information Security Officer and Data Owner.

The data policy also requires that when confidential data in physical form is received or sent to a different location, it must be logged on chain of custody logs.

Page 36:

ADMINISTRATIVE SAFEGUARDS

WARNING BANNER

You will see the warning banner each time you power up your PC.

All DHCS workforce members are bound by the terms contained in the warning banner reproduced below.

No expectation of privacy exists when using a state computer.

Computer activity logs are maintained and reviewed on an ongoing basis.

WARNING: This is a State of California computer system that is for official use by authorized users and is subject to being monitored and/or restricted at any time. Unauthorized or improper use of this system may result in administrative disciplinary action and/or civil and criminal penalties. By continuing to use this system, you indicate your awareness of, and consent to, these terms and conditions of use. LOG OFF IMMEDIATELY if you are not an authorized user or you do not agree to the conditions stated in this warning.

Page 37:

PHYSICAL SAFEGUARDS

Page 38:

PHYSICAL SAFEGUARDS

Physical Safeguards are security measures that protect the Department’s information systems and confidential information, as well as related buildings and equipment, from environmental hazards and unauthorized intrusion.

Page 39:

PHYSICAL SAFEGUARDS

Some Physical Safeguards include:

Identification for all employees and visitors

Locked desk drawers, cabinets, rooms, and buildings

Shredding of confidential information

Using caution when printing, faxing, and mailing

Protecting mobile computing devices

Page 40:

PHYSICAL SAFEGUARDS

BUILDING SECURITY

Administration Division Policy Memorandum DHCS 07-28 outlines physical security at the East End Complex (EEC).

All persons are required to wear identification at all times.

Employees expecting visitors should notify security guards.

Contact security guards if you see an individual with no badge (permanent or visitor).

Do not hold or prop open secure doors for others.

Immediately report lost or stolen employee badges to security staff and your supervisor.

Page 41:

PHYSICAL SAFEGUARDS

UNATTENDED AREAS

Employees should never leave personal, confidential or sensitive information unattended, even for a few minutes, including during working hours.

Unattended means that information and/or documents containing personal, confidential, or sensitive information are not locked up, or not within your sight.

Another staff member who is authorized to see the information may watch your personal, confidential, or sensitive information if they are in the immediate area.

Page 42:

PHYSICAL SAFEGUARDS

SECURING INFORMATION

HAM Section 6-1010.1 requires that personal, confidential, and sensitive information be secured during non-working hours, even if the building is secure. For example:

Put documents in a locked drawer or filing cabinet.

Do not leave personal, confidential or sensitive information unsecured in your office unless your office is locked.

Do not leave personal, confidential, or sensitive information visible on top of or under your desk.

Do not leave keys to cabinets, drawers, or office doors in a desk or any obvious place.

Page 43:

PHYSICAL SAFEGUARDS

CONFIDENTIAL DESTRUCT

When personal, confidential or sensitive information is no longer needed or required for business purposes, it must be secured and destroyed, and the destruction may require logging.

Page 44:

PHYSICAL SAFEGUARDS

CONFIDENTIAL DESTRUCT (continued)

Do not keep personal, confidential, or sensitive information (paper or electronic) longer than is necessary or required for business purposes.

Do not discard Department information at home, away from the Department, or in recycle bins or waste baskets.

Do not store documents awaiting destruction in your cubicle or office unless secured (e.g., locked cabinets or locked office, etc.).

Page 45:

PHYSICAL SAFEGUARDS

CONFIDENTIAL DESTRUCT (continued)

To prevent unauthorized access and misuse of PHI and PCI:

Secure documents and electronic media awaiting destruction (e.g., locked cabinets or locked office, etc.).

For paper documents use shredders or locked, grey, confidential destruction bins available throughout the Department.

For electronic media (e.g., CDs, discs, thumb drives, etc.), contact your LAN Administrator. NOTE: “Delete” or “Erase” are not sufficient to remove all remnants of data from electronic media: deleting a file normally removes only the file system’s reference to it, and the data itself remains recoverable until it is overwritten. Data must be removed or wiped from the device according to Department policy.

Ask your supervisor if the destruction is required to be logged.

Page 46:

PHYSICAL SAFEGUARDS

LOCKED CABINETS

Put documents in a locked drawer or filing cabinet.

Do not leave keys to cabinets and drawers in desk or in any obvious place.

Do not leave PHI/PCI/Sensitive Information visible on top of or under desks unless your office is locked.

HAM 6-1050.2 states personal, confidential, and sensitive information must be locked during non-working hours even if the building is secure.

Page 47:

PHYSICAL SAFEGUARDS

PRINTING

Do not leave printouts with PHI/PI/Sensitive Information sitting on the printer.

Deliver printouts to the appropriate persons immediately, or secure them in your own desk.

Page 48:

PHYSICAL SAFEGUARDS

FAXING

(HAM Section 6-1050.4)

Notify the recipient prior to sending a fax.

Verify the fax number.

Use a cover page with a confidentiality statement.

Do not leave a fax with personal, confidential or sensitive information in the fax machine.

Page 49:

PHYSICAL SAFEGUARDS

MAILING

(HAM Section 6-1050.5)

Verify the address.

Personal, confidential or sensitive information should be placed in an envelope so that the information is not visible.

Page 50:

PHYSICAL SAFEGUARDS

MAILING (continued)

RECORD – Keep a record of what you’re sending, such that you could re-create the information and/or send notices if the data is lost or stolen.

ENCRYPT - Ensure that personal, confidential or sensitive information on electronic media (e.g., disks, CDs, and other storage media) is encrypted before it is mailed.

LOG - When confidential data in physical form (e.g., paper, CDs, etc.,) is received from or sent to a different location, it must be logged according to the Division’s procedures.

TRACK – Use a delivery service with status tracking and delivery confirmation. For mailings with PHI or PCI of more than 500 individuals in a single package, use a delivery service.

Page 51:

PHYSICAL SAFEGUARDS

ORAL COMMUNICATIONS

Take reasonable steps to protect the privacy of all verbal discussions or interpreted exchanges (e.g., sign language) involving Department-owned confidential, personal and sensitive information.

Page 52:

PHYSICAL SAFEGUARDS

ORAL COMMUNICATIONS

Do not discuss Department-owned personal, confidential or sensitive information with those who do not need to know even if they work with you (e.g., co-workers, family, friends, etc.).

Always verify the identity and authority of persons before you discuss or exchange information.

When it is necessary to discuss personal, confidential or sensitive information, use enclosed offices, meeting rooms, or another location where unauthorized staff cannot overhear you.

Page 53:

PHYSICAL SAFEGUARDS

REMOVING PHI / PCI from the DEPARTMENT

When authorized purposes, such as business travel, teleworking, offsite meetings, etc., require that you remove Department-owned data in any form:

Only remove the minimum information necessary to get the job done.

Use only Department-issued IT devices (e.g., laptops, CD’s, thumbdrives, etc) when taking this information off-site.

All electronic data (e.g., laptops, CD’s, thumbdrives, etc.) must be encrypted.

Keep a record of what you remove from the Department, such that you could re-create the information or send breach notices if the data is lost or stolen.

Page 54:

PHYSICAL SAFEGUARDS

REMOVING PHI / PCI from the DEPARTMENT (continued)

Do not check documents or electronic devices in baggage on commercial airplanes. If documents need to be transported to remote locations, use a secure delivery method with a tracking system. NOTE: Whenever possible, use encrypted electronic devices rather than paper.

While en route and when unattended at hotels and/or other travel destinations, physically secure paper documents and electronic devices where they are not visible, to prevent theft and unauthorized access, viewing, and/or use.

Fully shut down (power off) laptops when unattended even in locked hotel rooms, meeting rooms, vehicle trunks, etc.

Documents should be shredded as soon as possible when no longer needed. Do not store or discard DHCS information offsite.

Page 55:

PHYSICAL SAFEGUARDS

MOBILE COMPUTING DEVICES

Examples of mobile devices:

Laptops, Tablet PCs, PC Notebooks

USB storage devices

PDAs, Palm, BlackBerrys, Treos

Camera phones

Thumb drives

Memory sticks/cards

Page 56:

PHYSICAL SAFEGUARDS

SECURITY of MOBILE COMPUTING DEVICES

All mobile devices must be encrypted and when taken off the worksite premises, must not be separated from employees at airports, automobiles, hotel rooms, etc.

Do not leave mobile devices unsecured.

When not being used, all mobile devices should be locked up.

Cable lock laptop to an immovable surface.

Page 57:

TECHNICAL SAFEGUARDS

Page 58:

TECHNICAL SAFEGUARDS

Technical Safeguards are security measures that specify how to use technology to protect the information gathered, stored and transmitted from the Department’s electronic information systems, particularly by controlling access to it. Technical safeguards are accomplished, in part, by:

USING UNIQUE PASSWORDS

ENCRYPTION

INTERNET CONTENT FILTERING

LOCKING COMPUTER SCREENS

LOGGING USER ACTIVITIES

Page 59:

TECHNICAL SAFEGUARDS

DEPARTMENTAL LEVEL SAFEGUARDS

To protect and improve the networking environment, the Department implements many safeguards. Here are a few examples:

Encryption – DHCS uses encryption that conforms to the FIPS 140-2 standard, for example AES with 256-bit keys.

Internet Content Filtering – protects the network and its users from malicious websites by blocking access, enforces the “appropriate use” guidelines of the Policy, reduces the Department’s liability for misconduct, and improves productivity.

Anti-Virus Software – DHCS uses anti-virus software to detect and prevent malicious software. All users receive a message on their computer screen when their computer is being checked. If you think your computer has a virus, contact your LAN Administrator or call the IT Service Desk at (916) 440-7000 or (800) 579-0874 for guidance.

Security Patches – critical software security patches are installed.

Computer Usage Audit Logging – all network activity is logged and monitored.

Page 60

TECHNICAL SAFEGUARDS

PASSWORDS

Best practice for creating a “strong” password:

Avoid common references, e.g., your significant other’s name, pet’s name, birthday, favorite color, sequential patterns (abc, 123, 5555), anything easy to guess, etc.

Use a password that is at least eight (8) characters long.

Include at least three of the following:

• Upper case letters (A–Z)
• Lower case letters (a–z)
• Arabic numerals (0–9)
• Non-alphanumeric characters (e.g., !@&)

Do not use a word in the dictionary.

Have a unique password for each logon, and don’t use the same password for multiple systems.
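As an added example (not part of the DHCS training and not a Department tool), the following Python checker applies the rules above: minimum length, three of four character classes, no sequential or repeated runs, no dictionary words or common references, and no personal references the caller supplies. The dictionary and common-reference lists are constructed samples.

```python
from __future__ import annotations

import re

# Constructed sample lists; a real deployment would load its own word lists.
DICTIONARY_WORDS = {"summer", "football", "dragon", "monkey", "password"}
COMMON_REFERENCES = {"welcome", "letmein", "qwerty", "admin"}

# The four character classes the slide lists; a password needs at least three.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

MIN_LENGTH = 8


def has_sequential_run(pw: str, run_length: int = 3) -> bool:
    """True if pw contains a run like 'abc', '123' or '555' (case-insensitive)."""
    s = pw.lower()
    for i in range(len(s) - run_length + 1):
        codes = [ord(c) for c in s[i:i + run_length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        # {0}: every character identical; {1}: each character one code point higher
        if steps in ({0}, {1}):
            return True
    return False


def password_findings(pw: str, personal_terms: set[str] | None = None) -> list[str]:
    """Return the policy violations for a candidate password (empty list = passes).

    personal_terms holds the user's own easily guessed references (partner's or
    pet's name, birthday, favorite color); the caller supplies them.
    """
    findings: list[str] = []
    lowered = pw.lower()

    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(pw)]
    if len(present) < 3:
        findings.append(f"only {len(present)} of 4 character classes")

    if has_sequential_run(pw):
        findings.append("contains a sequential or repeated run")

    # "Do not use a word in the dictionary": flag the word even when it is embedded.
    if any(word in lowered for word in DICTIONARY_WORDS | COMMON_REFERENCES):
        findings.append("contains a dictionary word or common reference")

    for term in personal_terms or set():
        if len(term) >= 3 and term.lower() in lowered:
            findings.append("contains a personal reference (name, pet, birthday, etc.)")
            break

    return findings
```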

Page 61

TECHNICAL SAFEGUARDS

PASSWORDS

Employees are responsible for the confidentiality and security of their passwords (See HAM 6-1010.2).

When using any Department or state system that requires you to log in and use a password, adhere to the following:

Do not share your password with anyone (family, friends, manager, helpdesk, etc.).

Do not write your password down.

Do not include your password in a data file, log-on script, or macro.

Change your password at least every 60 days, or sooner if you suspect it has been compromised.

Report any suspected unauthorized use of a password to your supervisor and the Information Security Office (ISO) immediately.

Page 62

TECHNICAL SAFEGUARDS

ENCRYPTION

Proper encryption protects electronic confidential information so that, if it is obtained by an unauthorized person, it cannot be read, and its loss will not be considered a data breach. Encryption applies to data at rest and data in transit. DHCS uses encryption standards that adhere to FIPS 140-2, such as AES 256-bit.

DHCS requires that all IT equipment and any accompanying data storage media used to access, store, or transmit personal, sensitive, or confidential information consistently employ full disk encryption or file encryption.

IT equipment and accompanying data storage media include, but are not limited to, workstations, laptops, removable media and mobile/portable devices (such as USB drives, floppies, CD/DVDs, Blackberry devices, backup tapes, etc.). Generally, this means all devices that can store data.

Page 63

TECHNICAL SAFEGUARDS

ENCRYPTION (CONTINUED)

DATA at REST – Protect confidential information on computer hard drives, laptops, mobile devices, and removable media.

Use only Department issued devices to access, store, or transmit Department information. Validate the device has Department standard encryption in place before storing confidential data on it.

Use of non-Department devices or non-standard encryption methods requires prior approval from your Branch Chief and the ISO.

Always power off devices containing DHCS information when they are unattended (e.g., in vehicle trunks while traveling, hotel rooms, home offices, etc.). This way, even if the device is stolen, the information cannot be read without the encryption password.

Page 64

TECHNICAL SAFEGUARDS

[SECURE] E-MAIL ENCRYPTION TECHNOLOGY

DATA in TRANSIT - Encrypt email messages while they travel from your computer to a computer outside the Department’s network.

Insert “[secure]” in square brackets anywhere on the e-mail subject line. As soon as you click “Send” the e-mail is sent to a secure website and immediately encrypted. Even if it is intercepted by a third-party, they will not be able to read it because you must have access to a key (password) that enables you to decrypt it.

If the recipient of your e-mail replies using the secure website reply button, their reply will automatically be encrypted.

Other approved methods of securing data in transit include HTTPS and Secure FTP. Contact ISO if you need assistance.

Page 65

TECHNICAL SAFEGUARDS

SENDING PHI via E-MAIL

Always ensure delivery to intended recipient by checking e-mail address.

Only send the minimum necessary PHI/PCI/Sensitive Information.

Never send e-mail messages containing PHI/PCI/Sensitive Information outside of the Department unless you encrypt.

Insert a confidentiality statement at the end of your e-mail.
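As an added example (not part of the training and not the Department’s own mail gateway logic), the following Python pre-send check applies the “[secure]” subject-tag rule from the previous slide together with the rules on this one: recipient addresses are checked, PHI bound for an external recipient must carry the tag, and the message must end with a confidentiality statement. The mail domain dhcs.example, the case-insensitive tag match and the contains_phi flag are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: placeholder for the Department's own mail domain (not given on the slides).
INTERNAL_DOMAIN = "dhcs.example"
# The slide says to put "[secure]" in square brackets anywhere on the subject line;
# matching it case-insensitively is an assumption about the gateway.
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)
# Opening words of the sample confidentiality statement shown on the slides.
CONFIDENTIALITY_MARKER = "CONFIDENTIALITY NOTICE:"


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    contains_phi: bool  # declared by the sender or an upstream classifier (assumed input)


def is_external(address: str) -> bool:
    """True when the recipient's domain is not the Department's own domain."""
    return address.rsplit("@", 1)[-1].strip().lower() != INTERNAL_DOMAIN


def leaves_department(mail: OutboundMail) -> bool:
    """A single external recipient is enough for the message to leave the Department."""
    return any(is_external(r) for r in mail.recipients)


def will_be_encrypted(mail: OutboundMail) -> bool:
    """The [secure] tag routes the message through the encryption gateway."""
    return SECURE_TAG.search(mail.subject) is not None


def has_confidentiality_statement(mail: OutboundMail) -> bool:
    """The statement belongs at the end, so only the message's last lines are inspected."""
    tail = "\n".join(mail.body.rstrip().splitlines()[-8:])
    return CONFIDENTIALITY_MARKER in tail


def policy_findings(mail: OutboundMail) -> list[str]:
    """Check one outbound message against the slides above; an empty list means OK."""
    findings: list[str] = []
    # "Always ensure delivery to intended recipient by checking e-mail address."
    for r in mail.recipients:
        if r.count("@") != 1 or not r.split("@")[1]:
            findings.append(f"malformed recipient address: {r!r}")
    if mail.contains_phi:
        if leaves_department(mail) and not will_be_encrypted(mail):
            findings.append("PHI leaves the Department without the [secure] subject tag")
        if not has_confidentiality_statement(mail):
            findings.append("missing confidentiality statement at the end of the message")
    return findings


def mark_secure(subject: str) -> str:
    """Prepend the tag when it is absent so the gateway encrypts the message."""
    return subject if SECURE_TAG.search(subject) else f"[secure] {subject}"


# Constructed sample message (not a real DHCS e-mail): PHI to an outside clinic,
# no [secure] tag and no confidentiality statement.
SAMPLE = OutboundMail(
    sender="analyst@dhcs.example",
    recipients=["billing@clinic.example"],
    subject="TAR follow-up",
    body="Attached is the authorization detail for the claim we discussed.",
    contains_phi=True,
)
```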

Page 66

TECHNICAL SAFEGUARDS

CONFIDENTIALITY STATEMENT

Below are examples of confidentiality statements that can be used with emails, faxes and other documents:

CONFIDENTIALITY NOTICE: The information contained in this E-Mail document is confidential and is intended only to be viewed by the recipient(s) listed above. If you are not the intended recipient(s), you are hereby notified that any distribution or copying of this document is strictly prohibited. If you have received this document in error, please contact the sender listed above and destroy the document(s).

CONFIDENTIALITY NOTICE: This facsimile transmission is intended only for the addressee shown above. It may contain information that is privileged, confidential, or otherwise protected from disclosure. Any review, dissemination, or use of this transmission or any of its contents by persons other than the addressee is strictly prohibited. If you received this fax in error, please call the sender collect immediately and destroy the document(s). Thank you for your cooperation.

Page 67

TECHNICAL SAFEGUARDS

AUDIT LOGGING

All employee computer activity is logged and has an audit trail. This is in compliance with state and federal laws and policies, and as a matter of best practice for accountability.

“Employees are granted access to the Department’s information to perform their job functions on a need to know basis. Employees shall have no expectation of privacy from Department monitoring and inspection in the use of Department resources…”

Page 68

TECHNICAL SAFEGUARDS

COMPUTING EQUIPMENT

Use Ctrl-Alt-Delete to lock your computer before you leave it unattended.

Store files on server/shared drives that are backed up; do not store on desktops.

Do not use computer equipment for any unauthorized purposes.

Page 69

TECHNICAL SAFEGUARDS

LAPTOPS

Do not leave laptops unattended unless secured.

When not in use, place laptop in lockable storage. Do not store PHI/PCI/Sensitive Information on a laptop unless it is encrypted.

When taken off the worksite premises, cable lock laptop to an immovable surface or place in a secure location.

Page 70

TECHNICAL SAFEGUARDS

INTERNET / EMAIL RESOURCES

Department employees are granted access to Internet and E-mail resources to provide education, research, marketing, procurement, and service opportunities in the performance of their duties.

Conduct all Internet and/or E-mail activities in a professional, lawful, and ethical manner. This includes the development of content for the Internet.

Support the use of existing infrastructure, technologies, procedures and standards in using, developing, or making information available on the Internet.

Employees shall be restricted from participating in mailing lists, discussion groups, newsgroups, list servers, or other interactive communications if such participation is excessive or is inhibiting overall network performance.

Accessing a personal or private Internet Service Provider for personal use while using any state equipment, or using non-state equipment for conducting state business, does not release an employee from the responsibility of complying with this policy.

Page 71

TECHNICAL SAFEGUARDS

INTERNET / EMAIL RESOURCES (CONTINUED)

Examples of inappropriate use include, but are not limited to, viewing, sending and/or downloading information that:

Contains defamatory, false, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, or otherwise biased, discriminatory, or illegal material.

Violates agency or departmental regulations prohibiting sexual harassment and/or discrimination.

Restricts or inhibits other users from using the system, or reduces the efficiency of the computer systems.

Uses departmental records for private gain, or divulges confidential departmental information or records unless officially authorized to do so.

Only click on links in email if the email is work related, you are certain it came from a reliable source, or you’re expecting the information.

Page 72

TECHNICAL SAFEGUARDS

MOBILE COMPUTING DEVICES

When authorized to use mobile devices, such as laptops, Tablet PC, PC Notebooks, USB storage devices, Blackberries, Flash Memory (memory sticks & cards), camera phones, etc.:

Only download or store the minimum amount of PHI/PCI/sensitive information necessary to get the job done.

NOTE: Do not download or store social security numbers (SSN) unless absolutely necessary and only if the mobile device is encrypted.

Use only Department issued IT equipment. All non-state mobile computing devices require approval by your Branch Chief and the ISO before being connected to the network.

Encrypt all mobile devices or data.

Laptops must be connected to the network once every 30 days, in order to download latest security updates.

Page 73

TECHNICAL SAFEGUARDS

REMEMBER

Tips to Remember when accessing DHCS information resources:

Always lock up paper documents and encrypt electronic media containing personal, confidential, and sensitive information.

Follow paper and electronic media destruction procedures.

Don’t use unsecured wireless networks.

Don’t download personal files and don’t check home e-mail accounts.

If your job requires use of a social network website, don’t post any PHI/PCI or sensitive Department information on it.

Use only authorized software. Using non-standard software requires prior approval to ensure software is secure and to prevent violations of licensing and copyright infringement laws.

Page 74

REMOTE ACCESS

Page 75

REMOTE ACCESS

Remote Access involves using an externally located computer (e.g. home, hotel) to access DHCS e-mail, documents, and applications.

Remote access is most commonly used after hours, when travelling, or when teleworking (i.e., working from home).

Remote access is provided by one of the following DHCS systems:

Outlook Web Access (OWA): Access to e-mail, no licensing cost

Citrix: Access to e-mail, folders and applications, licensing cost involved

Page 76

RISKS of OWA

You should be aware of the information security risks associated with the two DHCS remote access methods:

Outlook Web Access (OWA)
  Licensing costs: No
  Features: Limited; browser-based e-mail, calendar, & contacts
  Data security level: Very Weak
  Two-factor security available: No

Citrix
  Licensing costs: Yes
  Features: Full-featured Outlook, folders, SharePoint & more
  Data security level: Very High
  Two-factor security available: Yes

While free, OWA has a much higher risk of your password being stolen by hidden malware called a keylogger. If you have confidential data in your e-mail, it’s recommended that you not use OWA unless from a DHCS issued laptop.

Note: While not considered “remote access”, a DHCS managed Blackberry is a highly secure alternative to these methods, if your only needs are email, calendar, and contacts.

Page 77

POTENTIAL RISKS

Remote access, while useful, also carries potential risks to both DHCS information assets, and the information assets of other business associates whose data is in DHCS custody.

Inappropriate exposure of confidential information to others may trigger federal and state breach notification laws. If triggered, DHCS is required to notify the appropriate authorities along with a press release. Violation of policies may also lead to employee disciplinary action.

Areas of concern include the following:

Inadvertent exposure of information to visitors, family, friends, etc.

Lost or stolen media, devices, or paper

Improper disposal of media and paper documents

Malicious software on non-DHCS computer that steals data

Page 78

DOWNLOAD DANGERS

In this training, “data” refers to confidential/sensitive information, in both electronic and paper form.

Minimize downloading or taking any DHCS data outside the workplace.

Do not download DHCS data onto non-DHCS owned computers or mobile devices. This includes transferring data via thumbdrives, CD’s, etc.

Do not e-mail DHCS data to personal e-mail or other personally owned systems.

If uncertain what is permissible, consult with your supervisor or the Information Security Office (ISO) ([email protected]).

Page 79

DATA SECURITY

Data in your possession (e.g., electronic, paper documents, or data visible on your computer screen, etc.) must be secured from unauthorized access, including family members and friends.

When left unattended, secure data in locked cabinets, locked drawers, locked rooms. Do not leave in unattended vehicles or other locations where it may be easily stolen.

When using a mobile computer, use of a computer cable lock is recommended.

Page 80

PAPER PRECAUTIONS

Paper documents are high risk because they cannot be encrypted.

Avoid printing documents or taking paperwork offsite unless absolutely necessary.

Documents should be shredded as soon as possible when no longer needed.

Work related documents should be kept in a separate location from any personal documents.

Page 81

COMPUTER SECURITY

Non-DHCS computers (personally-owned, libraries, hotels, etc.) are at an increased risk of having hidden, malicious software or “malware”, which is capable of stealing passwords and data and secretly logging all keystrokes (“keylogger”).

If using a home computer for remote access, ensure it has the following:

Up to date antivirus signatures

Monthly installed security patches

Installed software or hardware firewall

Page 82

TECHNICAL REQUIREMENTS

Ensure you have an active firewall to protect the computer from Internet based attacks. Software firewalls are included with Windows. Hardware firewalls (typically built into a “router”) are supplied by your internet provider or purchased.

For personally owned computers, setup automatic installation or notification of security patches, and ensure you update software such as Adobe Acrobat and Firefox on a monthly basis.

DHCS issued laptops must be reconnected to the DHCS network on a monthly basis to receive updates.

Do not use unsecured, open wireless networks.

Page 83

SECURING THE COMPUTER SCREEN

It’s important to secure your remote access session from unauthorized access.

Password protect your computer screen when away from the computer by logging off, or using a screen lock password known only to you. Do not depend on the automatic timeout lock (Windows logo key + “L” locks immediately). If it’s suspected that someone viewed your password or watched you type it in, immediately change your password.

Choose difficult to guess passwords that are 8 characters or more, not in the dictionary of any language, and not similar to previous passwords.

Page 84

SOCIAL ENGINEERING PRECAUTIONS

A common technique by hackers is to attempt to trick you by posing as an administrator or other person of authority.

Do not trust any individual who claims authority to access your data or password. Passwords should never be shared.

Do not click on links or attachments in email unless you are expecting the email or can validate that it’s authentic. Do not click on links unless it’s work related and necessary to do so; the website may be fake.

If you have any doubt, contact the Information Security Office before complying with their request [email protected].

Page 85

REMEMBER

Remote Access security controls and policies protect DHCS data, and avoid state and federal law violations.

Ignoring, disabling, or working around DHCS security controls or policies can be grounds for disciplinary action. Remember that system logs retain a record of your activities.

If you are unable to perform your job duties within the existing DHCS security controls, contact your supervisor or the DHCS Information Security Office for guidance.

Page 86

REMOTE CONTROL FEATURE

Most computers have a feature that allows technical support organizations to take remote control of your PC.

This should not be allowed at the same time you are in a remote access session with DHCS because the technical support professional can see everything on your screen.

Page 87

SECURITY INCIDENTS

If a breach of security is suspected, you must immediately report it to the DHCS Information Security Office ([email protected]).

If you suspect DHCS confidential or sensitive data was viewed or received by an unauthorized individual, you must also notify the DHCS Privacy Office ([email protected]).

Make sure to keep your Manager or Supervisor informed.

Page 88

MINIMUM NECESSARY

Page 89

MINIMUM NECESSARY

Minimum necessary is a concept in HIPAA that ensures that the disclosure of PHI is limited to the minimum amount necessary in order to minimize risk to the security of data.

When disclosing PHI or PII:

Use the minimum amount of information necessary

Request the minimum amount of information necessary

Disclose the minimum amount of information necessary

Department staff access should be specific based upon the operational needs of each unit.

Page 90

MINIMIZING USE

Staff should only request to inspect PHI necessary for job function, not the entire record, unless needed.

Copy only relevant parts of PHI.

Redact (blackout) PHI not relevant to the requested information.

Example: SSNs on applications that are copied and placed in files where the SSN is not needed should be blacked out.

Page 91

MINIMIZING REQUEST & DISCLOSURE

When Minimum Necessary does NOT apply:

Health care provider for treatment

-Doctors can share entire medical charts to care for a patient

Individual who is the subject.

-Patients have the right to access all of their medical record.

Pursuant to an individual’s authorization.

-A patient can authorize any part or all of their medical record to be given to another party.

Disclosures to the Secretary of Health & Human Services.

When a disclosure is required by law, such as in response to a court order or subpoena.

Page 92

USE and DISCLOSURE of PHI and PCI

HIPAA MEDICAID & STATE LAW

Page 93

USE and DISCLOSURE of PHI under:

HIPAA

Page 94

USE & DISCLOSURE

USE is the sharing, application, utilization, examination, or analysis of protected health information within a covered health plan or provider which maintains the information.

DISCLOSURE is the release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information.

Page 95

DISCLOSURES OF DATA

Managers must ensure that PHI/PCI/Sensitive Information is not released to external entities in violation of federal or state laws or regulations or Department policies.

All external data releases require approvals from a Data Release Coordinator, the Data Owner, Privacy Officer, and Information Security Officer.

See HAM Section 6-1030

Page 96

TYPES OF USE & DISCLOSURE

Permitted uses & disclosures are allowed by HIPAA without the patient’s consent or authorization, and include:

TREATMENT

PAYMENT

HEALTH CARE OPERATIONS

HEALTH OVERSIGHT

PUBLIC HEALTH

Required disclosures are mandated by HIPAA.

NOTE: If stricter state or federal laws for a specific program regarding use and disclosure exist, the more stringent law must be followed.

Page 97

You May Use or Disclose

PHI for TREATMENT

Treatment is providing health care to an individual by a health care provider.

Treatment only applies to health care providers.

Minimum Necessary does NOT apply.

Page 98

You May Use or Disclose

PHI for PAYMENT

Payment is the compensation for services and includes activities to obtain:

Premiums if you are a health plan

Money for services if you are a provider

Minimum necessary applies

Page 99

You May Use or Disclose

PHI for HEALTH CARE OPERATIONS

Health Care Operations (HCO) are those activities that support treatment and payment. For example:

Prior Authorizations

Internal Auditing

Management Reviews

Administrative Appeals

Minimum Necessary applies

Page 100

OTHER

HIPAA PERMITTED DISCLOSURES

To Health Oversight Agencies

- That are authorized by law to conduct certain oversight activities.

- Examples: Department of Justice, Federal Bureau of Investigation, Office of Inspector General, Medical Board, Dental Board

To Public Health Authorities

- That are authorized by law for the purpose of preventing or controlling disease, injury or disability

Page 101

REQUIRED DISCLOSURES

Disclosures must be made to:

Individuals requesting a copy of their own PHI

Secretary of the U.S. Department of Health and Human Services

Page 102

JUDICIAL & ADMINISTRATIVE PROCEEDINGS (45 CFR 164.512(e))

When the Department is a plaintiff or defendant in a lawsuit, PHI may be disclosed as part of program operations.

Program rules for disclosures apply, such as Minimum Necessary.

Page 103

JUDICIAL & ADMINISTRATIVE PROCEEDINGS (45 CFR 164.512(e))

Permissible Disclosures of PHI, where it may be disclosed:

In response to an order of a court or administrative tribunal when DHCS is not a party.

In response to a subpoena, discovery request, or other lawful process if reasonable efforts have been made to ensure that the individual has been given notice of the request or reasonable efforts have been made to secure a qualified protective order.

Page 104

USE and DISCLOSURE of PHI under:

MEDICAID & STATE LAW

Page 105

PREEMPTION (45 CFR Subpart B)

The HIPAA Privacy Rule is a national floor of privacy protection; it does not preempt the field in medical privacy.

If there is a state statute or regulation which:

1) Affords greater protection to an individual’s privacy, or

2) Provides a greater right to the individual to access their own records.

THEN that law prevails over HIPAA.

Page 106

Medicaid Law (Welf. + Inst. Code 14100.2)

USES & DISCLOSURES

Medi-Cal uses and disclosures are limited to:

- The individual regarding his/her own PHI

- Purposes directly connected to the administration of the Medi-Cal Program

Purposes directly connected to Medi-Cal administration include:

- Determining eligibility and reimbursement

- Providing services to recipients

- Conducting or assisting investigations, prosecutions or proceedings related to Medi-Cal

- Third Party Liability activities

- Audits and legislative investigations

Page 107

MEDI-CAL SUBPOENAS

The Medi-Cal Program does not usually respond to subpoenas for PHI:

Unless it directly relates to the administration of Medi-Cal, or:

Unless it is required by a court order

Suggest the individual beneficiary / personal representative requests the PHI through the individual Access Policy

(See the Notice of Privacy Practices)

Page 108

RELEASES TO RESEARCHERS

RESEARCH means a systematic investigation designed to develop or contribute to generalizable knowledge.

If contacted by a researcher, you must immediately refer them to the Data and Research Committee.

Program evaluation may become research when the contractor intends to publish the results.

Research proposals involving Department data and/or beneficiaries need to be approved by the Committee for Protection of Human Subjects (CPHS) in the Health & Human Services Agency.

Page 109

CALIFORNIA CIVIL CODE (1798.24)

A State Agency may release PCI:

1) To the individual to whom the record pertains
2) With prior written voluntary consent
3) To the guardian or conservator or authorized representative, if documented
4) To a governmental entity when required by law
5) Pursuant to the Public Records Act
6) For compelling health or safety reasons
7) Subpoena or court order, if the agency attempts to notify the individual beforehand
8) To law enforcement or regulatory agency
9) Research

Page 110

DISCLOSURES of CONFIDENTIAL DATA

Managers must ensure that PHI/PCI/Sensitive Information is not released to external entities in violation of Federal or State laws/regulations, or Department policies.

All external data releases require approvals from a Data Release Coordinator, the Data Owner, Privacy Officer, and Information Security Officer.

Some programs have additional requirements for use and disclosures.

Check with your manager/supervisor and Privacy Office if you have additional questions.

Page 111

ACCESS TO BENEFICIARY RECORDS

Page 112

RIGHT TO ACCESS

Individuals have a right to access information about themselves that is maintained by any health plan, provider or the Department. The Department must provide access or make copies of the records it creates or maintains, and mail to the individual upon request.

Page 113

EXAMPLES OF DEPARTMENTAL MEDICAL RECORDS

• Claim Detail Report (CDR)
• Surveillance Utilization Review Subsystem (SURS)
• Treatment Authorization Request (TAR)
• Managed Care Records (premium payments, enrollment records)
• Medical Case Management Records
• Enrollment/Disenrollment forms
• Application Forms
• Eligibility Records

Page 114

ACCESS ASSIGNMENTS

For Medi-Cal, access is granted as follows:

Electronic Data Systems (EDS): Claim Detail Reports (CDR)/SURS

Medi-Cal Operations: TARs, Medical Case Management, etc.

Managed Care: Managed Care Records

Medi-Cal Dental Services Branch: Medi-Cal Dental Records

Third Party Liability (TPL): CDR information dating back 10 years in microfiche and/or cold storage

Eligibility Division: Eligibility Records

Page 115

WHO MAY ACCESS MEDICAL RECORDS?

• INDIVIDUALS (beneficiaries, patients, clients) participating in a health plan or program in the Department will receive a Notice of Privacy Practices (NPP) telling them how to access their records

• An Authorized Requestor may also access a beneficiary’s records with proper legal authority

• NOTE: State laws should be examined with regard to minors. See Access Policy and Family Code for discussion

Page 116

REQUEST FOR ACCESS TO PHI

• The Department requires that requests for access be in writing using an Access form found on the Privacy Office website:

• Requests for Access by an Individual require a 6236 Access Form
• Requests for Access by a parent, guardian, executor of will, conservator or person with medical power of attorney require a 6237 Access Form
• Authorizations for personal representatives (including legislator requests and requests from the governor’s office) require a 6247 Authorization Form

Page 117

AUTHORIZATIONS FOR PHI ACCESS

• 6247 AUTHORIZATIONS are required for disclosures of PHI to personal representatives or entities for purposes outside of permitted and required uses and disclosures
• The individual has a right to revoke a previous authorization
• No one can make an individual sign an authorization as a condition for treatment
• A personal representative may sign for a minor child, incompetent adult, or deceased beneficiary

Page 118

HIPAA VALID AUTHORIZATIONS

The 6247 authorization form must include:
• Patient/Beneficiary information
• Description of PHI
• Who the PHI is to go to
• The purpose for the requested PHI
• Expiration date of the authorization
• The signature of the individual whose PHI is being requested
• Copy of beneficiary identification or notarized patient/beneficiary signature

Page 119

REQUEST FOR PHI ACCESS

The Department:
• Will respond to individual requests within 30 days after receiving the request
• Will require proof of identity and address of the requestor
• May charge a fee for copying

An Authorized Requestor shall be treated like the individual with regard to access to the relevant information, but must have proper authorization, regardless of their title or designation.

Before fulfilling a request for beneficiary information, each of the sections on the form must be filled out and proper identification must be shown.

Page 120

REQUEST FOR PHI ACCESS

• After releasing beneficiary information to any person or entity external to DHCS, DHCS programs should document the release, including the date of release; the beneficiary’s name, address, and phone number; the MEDS ID, CIN, or SSN; and the type of information that was released.

• Releases to other divisions within DHCS do not require documentation (though it is always a good business practice).

• Sample Access Request Log (also available on the DHCS Privacy Office website, ‘Employee’s Use’ section):

Date of Valid Request | Requestor | Requestor’s Address | Requestor’s Phone # | Beneficiary/Patient Name | CIN# | Type of Information | Date of Release
1/1/2011 | John Smith | 1 Main St. | 111-111-1111 | Joe Smith | 12345678 | TAR | 1/15/2011

Page 121

VERIFICATION OF IDENTITY FOR TELEPHONE REQUESTS

Requests for information via the phone may be accepted. However, all individuals requesting information must be verified for the right to obtain that information.

If an individual beneficiary is calling:
• Ask for information you have available on file, such as the Medi-Cal ID card, SSN, date of birth, phone number and address.
• Use professional judgment when disclosing PHI over the phone.

If a provider is calling:
• Verify that belongs to the provider that is calling.

Page 122

IN CASE OF EMERGENCY

• If a program beneficiary is incapacitated and unable to consent,
• If there is an emergency requiring immediate care, and
• If, in the supervisor’s professional judgment, disclosure is in the best interest of the beneficiary

THEN, the program may disclose PHI to any of the following over the telephone without the beneficiary’s consent:

• A family member, other relative, or close friend of the beneficiary
• Another person where the PHI is directly related to their involvement in care or payment for the beneficiary

Page 123

BREACHES OF CONFIDENTIAL INFORMATION

Page 124

RESPONSIBILITY & PREVENTION

With the growing rate of identity theft, laws continue to emerge to protect individuals’ information.

It is everyone’s responsibility in the Department to protect the confidential information we collect and maintain in order to avoid breaches of information.

Page 125

PRIVACY BREACH

A privacy breach is an unauthorized disclosure of PHI/PCI that violates either federal or state laws.

Federal: HIPAA Privacy Rule

State: California Civil Code 1798

Privacy breaches may be paper or electronic and may occur when information is transmitted to an unintended or unauthorized recipient.

Page 126

EXAMPLES OF PAPER BREACHES

Misdirected paper faxes with PHI/PCI outside of the Department

Loss or theft of paper documents containing PHI/PCI

Mailings with PHI/PCI to incorrect providers or beneficiaries

Page 127

EXAMPLES OF ELECTRONIC BREACHES

Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI.

Stolen, unencrypted thumb drives with PHI/PCI.

Misdirected electronic fax with PHI/PCI to person outside of authorized state government.

Page 128

IMMEDIATE ACTION REQUIRED

Federal and State law require that if there is a breach of PHI/PCI, notice must be given to the affected individuals “in the most expedient time possible and without unreasonable delay” if there is a “significant / substantial risk of harm”.

Managers/Supervisors/Staff must take action to report suspected breaches IMMEDIATELY.

Page 129

REPORTING PRIVACY BREACHES

DHCS employees must take immediate action and report (by phone or email) all privacy breaches to:

Your Supervisor

DHCS Privacy Office
Email: [email protected]
Phone: (916) 440-7750
Fax: (916) 440-7680

DHCS Information Security Office
Email: [email protected]
Phone: (916) 440-7000 (IT Service Desk)

Page 130

PRIVACY COMPLAINTS

Individuals have the right to complain about a violation of Privacy or Security policy, whether they are a patient, member of the workforce, or other business associate.

The DHCS Privacy Office handles all complaints from Medi-Cal beneficiaries and employees and treats all allegations of privacy violations seriously. They investigate a variety of complaints regarding suspected misuse, disclosure or disposal of PHI/PCI/Sensitive information.

DHCS Privacy Office
Phone: (916) 445-4646
Email: [email protected]

Complaints should be filed on the DHCS Complaint Form 6242. The information will remain confidential to the extent possible.

Page 131

SANCTIONS

Page 132

SANCTIONS

HIPAA requires the Department to develop sanctions for employee violations of privacy and security policies and procedures.

Sanctions associated with violations of Department privacy and security policies will be pursued within the state disciplinary process.

There are civil and criminal penalties for violating provisions of the HIPAA Privacy and Security Rules as well as State Law.

Page 133

STATE DISCIPLINARY PROCESS

In order to hold an employee accountable for violation of any policy or procedure, employees must receive adequate training on the policies and procedures.

The State Disciplinary System calls for three phases of discipline:

1) Prevention

2) Corrective Action

3) Disciplinary or Adverse Actions

Page 134

CIVIL & CRIMINAL PENALTIES

HIPAA civil money penalties apply to covered entities and their employees:
• $100 - $50,000 or more for a single violation, up to $1,500,000 for multiple violations in 1 year.

Criminal penalties for knowingly obtaining, using or disclosing PHI in violation of HIPAA:
• Fine up to $50,000, imprisonment up to 1 year, or both.
• Under false pretenses: fine up to $100,000, imprisonment up to 5 years, or both.
• With intent to sell, transfer or use PHI for commercial advantage, personal gain, or malicious harm: fine up to $250,000, imprisonment up to 10 years, or both.

Page 135

EXAMPLES OF EMPLOYEE VIOLATIONS

Employee discusses the name of a beneficiary with friends

Employee uses PHI to send a birthday card

Employee sells names and addresses from MEDS or any system containing confidential information to a Marketing Firm

Employee gets confidential medical information from MEDS about an ex-spouse and uses or discloses it for personal reasons

Employee takes or sends protected information in an unencrypted format or without approval, regardless of the reason

Page 136

ROLES and RESPONSIBILITIES

Page 137

ROLES & RESPONSIBILITIES

EVERYONE in the Department has a role and responsibility to protect the personal, confidential and sensitive information collected and stored by the Department.

Page 138

ROLES & RESPONSIBILITIES

The Director has ultimate responsibility for information technology (IT) security, risk management, and privacy within the Department. The Director is responsible for the implementation of, and compliance with, the state security policy and is accountable for the computerized information resources held by the Department. The Director is also responsible for the integrity of computerized information resources and the authorization of access to those resources. However, all Department employees share in this responsibility.

Page 139

ROLES & RESPONSIBILITIES

The Department’s Chief Information Officer (CIO), Information Technology Division, is responsible for technical management of all aspects of the Department’s information resources and IT systems.

This includes:
• Implementing the necessary technical safeguards to preserve the security, privacy, and integrity of the Department’s information assets and managing the risks associated with those assets
• Acting as a custodian of information

Page 140

ROLES & RESPONSIBILITIES

The Privacy Officer (PO) is responsible for the privacy of all data maintained by the Department and for compliance with state and federal privacy laws, including HIPAA, the Medicaid Act, and the IPA. The PO is responsible for creation and maintenance of privacy policies related to Department confidential data. The PO approves corrective action plans when privacy incidents and breaches occur involving confidential Department data.

Page 141

ROLES & RESPONSIBILITIES

The Chief of the Privacy Office (Chief) manages the Privacy Office and its staff. The Chief is responsible for all operational aspects of the Privacy Office.

The Privacy Office responds to e-mail addressed to [email protected]. The Privacy Office investigates breaches involving unauthorized disclosure of confidential information and is responsible for training all Department staff on privacy and security standards. The Privacy Office processes privacy complaints related to the Medi-Cal Program and performs internal and external privacy audits.

Page 142

ROLES & RESPONSIBILITIES

The Information Security Officer (ISO) has oversight responsibility at the Department level for ensuring the integrity and security of automated and paper files, databases, and computer systems. The ISO is required to oversee Department compliance with policies and procedures regarding the security of information assets. The ISO is also responsible for the training of employees to comply with the state, federal and Department Policy Information Security requirements.

Page 143

ROLES & RESPONSIBILITIES

Managers/Supervisors are responsible for:
• Authorizing access to PHI/PCI/Sensitive Information
• Authorizing access to various IT systems
• Providing and routinely discussing policies with staff
• Enforcing compliance with policy
• Taking appropriate action for non-compliance
• Ensuring staff complete Information Privacy and Security Training and maintaining copies of:
  – ‘Training Certificates of Completion’
  – ‘Security & Confidentiality Acknowledgment’ (signed annually by each employee)

Page 144

ROLES & RESPONSIBILITIES

All Employees are responsible for the security of their assigned Department resources (i.e. desktop, laptop, mobile devices, etc.) and the information in their control. This includes:

Using due care to preserve data integrity and confidentiality when accessing Department information.

Taking appropriate precautions to prevent unauthorized access or destruction of the Department’s information.

Using Department assets and resources for business purposes.

Completing the annual Information Privacy and Security Training and signing the Certificate of Completion.

Annually reading and signing the Security & Confidentiality Acknowledgment form and giving it to your supervisor.

Page 145

ROLES & RESPONSIBILITIES

All employees are required to read the Information Privacy & Security Policy found at HAM 6-1000 et seq., and employees must annually sign the Security and Confidentiality Acknowledgment form (See HAM 6-1000.6).

Managers/Supervisors are required to maintain the original signed Security and Confidentiality Acknowledgement forms in their unit files for all their employees using or otherwise having access to the Department’s information.

State of California - Health and Human Services Agency

SECURITY AND CONFIDENTIALITY ACKNOWLEDGMENT 6-1000.6

I have read the Information Security Policy and will comply with the security requirements indicated in the policy. Also, I understand the need to:

1. Exercise due care to preserve data integrity and confidentiality.
2. Treat passwords as confidential information and change them on a regular basis to help insure that security is maintained.
3. Take reasonable precautions to ensure the protection of DHS data from unauthorized access or destruction.
4. Conduct regular virus checks to help avoid contamination of DHS data files.
5. Notify my supervisor and the DHS Information Security Officer of a possible security violation including unauthorized access, loss or destruction of equipment, misuse, theft, possible virus, etc. (see Section 5350 of the State Administrative Manual).

Employee name (please print):

Division: Telephone Number:

Employee’s signature

Date:

Supervisor’s Signature (permitting access)

Date:

Page 146

SECURITY INCIDENT MANAGEMENT & DISASTER RECOVERY

Page 147

SECURITY INCIDENTS & BREACHES

A security incident is an actual or suspected occurrence of:

• Damage, destruction, unauthorized access or disclosure of Department equipment or information
• Theft, or even attempted theft, or loss of Department equipment or information
• Fraud, embezzlement, misuse or inappropriate use of state property
• Apparent detection of a computer virus on a state computer

For example, theft of a computer or other IT equipment or device is a security incident and must be reported to the Information Security Office (ISO) immediately.

It must be determined if the computer contained PHI/PCI/sensitive information, and whether it was encrypted. If PHI/PCI/sensitive information was present, the incident may also be a breach of confidential information and must be reported to the Department’s Privacy Office. The Privacy Office is responsible for directing notification to the individuals whose information was breached.

Page 148

SECURITY INCIDENTS & BREACHES (CONTINUED)

Suspected or actual incidents involving PHI/PCI/Sensitive information include, but are not limited to, the following:

• Faxes or emails to incorrect providers, organizations, beneficiaries, or individuals
• Mis-sent or lost documents or any form of protected information
• Unauthorized viewing, access, or disclosure
• Mailings to incorrect providers, organizations, beneficiaries, or individuals
• Unencrypted emails
• Disclosures greater than minimum necessary
• Password sharing

Report all suspected or actual incidents involving PHI/PCI/Sensitive information to the Information Security Office and Privacy Office immediately.

Page 149

REPORTING

Federal and State regulations require the Department to follow specified notification and reporting processes when security incidents and / or privacy breaches occur. “…It is Department policy to maintain a record of security incidents and breaches and employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of confidential, personal, or sensitive information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.”

Page 150

REPORTING DIRECTIONS

Notify your manager/supervisor immediately. The manager/supervisor shall notify the Division Chief via the chain of command.

Report it to the ISO immediately, using one of the following:
• Email [email protected], or
• Call the IT Service Desk (M-F 8am-5pm) at (916) 440-7000 or (800) 579-0874

Report it to the Privacy Office immediately, using:
• Email [email protected]

Report the following information:
• Name and title, Division/Program
• Contact phone number and address
• The primary business processes involved
• How the incident was carried out, if known
• The steps that have been taken to mitigate or remediate the incident
• What evidence is available to assist in the investigation

Remain available at your contact phone number for consultation.

Page 151

DISASTER PREPAREDNESS

Another kind of incident is a large-scale disaster (such as flood, fire, earthquake, etc.). In the event of a disaster, the Department will implement its Disaster Recovery Plan to provide for continuity of critical business functions. Employee safety and security is a top priority in implementing a successful plan. For instructions during such an emergency, employees should call:

Emergency Information Hotline DHCS: (866) 273-1344

In addition, make sure you are personally and professionally prepared for an emergency. Imagine being unable to get into your building/office for 30 days.

Items to consider:
• Staff and co-workers’ personal contact information
• Customer contact information
• If authorized, know how to get to State resources such as Outlook Web Access for email and Citrix for application access

Page 152

DISASTER PREPAREDNESS AT HOME

On a personal level, consider:

• Meeting with your family to discuss how to prepare for and respond to a disaster
• Planning how your family will stay in contact if separated
• Completing these steps:
  – Post emergency numbers on each phone
  – Show responsible family members where to shut off utilities
  – Install (and test) smoke detectors on each level of your home
  – Contact your local fire department and learn about in-home fire hazards
  – Learn first aid and CPR
• Meeting with your neighbors and planning how the neighborhood could work together after a disaster
• Knowing your neighbors’ skills (medical, technical) and special needs such as elderly, disabled, or child care

Page 153

CLOSE

Page 154

REVIEW

Read Chapter 6 in the HAM.

Read and understand your division’s operational policies and procedures. Your supervisor can provide these for you.

Familiarize yourself with the content of each website reference.

Page 155

QUESTIONS

Read the Notice of Privacy Practices for your program.

Discuss the situation with your manager or supervisor.

Contact the DHCS Privacy Office

E-mail: [email protected]

Phone: (916) 445-4646

Page 156

WEBSITE REFERENCES

Please print the next three screens as a resource to find manuals, documentation, and forms that have been referenced in this presentation.

Privacy Office website: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/default.aspx

Information Security Office website: http://dhcsintranet/technology/ISO/Pages/Home.aspx

Notice of Privacy Practices: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/NoticeofPrivacyPractices.aspx

Page 157

WEBSITE REFERENCES

The DHCS Privacy Incident Report form is available on the Privacy Office website. On the Privacy Office website, you can also find forms for: Access (6236), Amendment (6238), Complaint (6242), and Authorization (6247).

Department of Health & Human Services FAQ: http://www.hhs.gov/hipaafaq/

East End Security: http://dhcsintranet/FormsPubs/Documents/AdminMemos/dhcs07-28.pdf

Federal Office for Civil Rights HIPAA Homepage (Enforcement, Privacy & Security Rules): http://www.hhs.gov/ocr/hipaa/

Page 158

WEBSITE REFERENCES

California Office of Privacy Protection:

www.privacy.ca.gov

Secure Encryption http://itsd.int.dhs.ca.gov/ei/encryption/

Centers for Medicare and Medicaid Services Homepage:

http://www.cms.hhs.gov/

Emergency Information Hotline DHCS:

1-866-273-1344

Page 159

INFORMATION PRIVACY & SECURITY TRAINING

Page 160

CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES

Page 161

The END